
DoS via failed authToken validation

Moderate
antobinary published GHSA-rgjp-3r74-g4cm Dec 15, 2022

Package

bbb-html5 (BigBlueButton)

Affected versions

<2.4.3

Patched versions

2.5-alpha-1, 2.4.3

Description

Impact

An attacker who was a participant in any meeting on the server could invoke the Meteor method validateAuthToken with a victim's userId and meetingId together with an invalid authToken. The resulting verification failure was also observed and handled by the victim's client, which forced the victim to leave the conference.

Workarounds

No Workarounds

Patches

We refactored the authToken validation so that a client only handles answers to its own validation requests.

References

Patch in BigBlueButton 2.5-alpha-1 | #13601
Patch in BigBlueButton 2.4.3 | #14295

For more information

If you have any questions or comments about this advisory:

Email us at security at bigbluebutton.org

Credits

We thank Nico Heitmann, Sven Hebrok, and Juraj Somorovsky from Paderborn University who examined the BigBlueButton code base and responsibly disclosed this vulnerability.

Severity

Moderate (4.3 / 10)

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

CVE ID

CVE-2022-41960

Weaknesses

No CWEs